Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must do so under the same CC BY-SA license, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/49800113/
Fortify error on JSON Injection in Java
Asked by shrey mathuria
I am getting SUBSCRIPTION_JSON from the client, which I convert to a String and then set on a Model Object using the gson library. On running the code through Fortify security, it gives me a JSON injection error on the code below, with the following message:
Here is the error :
On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
Explanation
JSON injection occurs when:
1. Data enters a program from an untrusted source.
In this case the data enters at getString() in **SubscriptionAction.java** at line 355.
2. The data is written to a JSON stream.
In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.
SubscriptionAction.java
    final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);
ActionHelper.java
    public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
        T object = null;
        if (StringUtils.isNotBlank(jsonString)) {
            // Gson instance is looked up from the bean locator; the input string is bound as-is
            final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
            object = gson.fromJson(jsonString, className);
        }
        return object;
    }
SUBSCRIPTION_JSON ->
    {
      "subscriptions": [{
        "attributeId": "1",
        "items": [{
          "strId": "ALL",
          "nodeType": "G"
        }, {
          "strId": "VO_ENTRY_TIMING_DELAY",
          "nodeType": "L"
        }, {
          "strId": "O_INVALID",
          "nodeType": "L"
        }, {
          "strId": "O_LINE_INVALID",
          "nodeType": "L"
        }, {
          "strId": "V_INVALID",
          "nodeType": "L"
        }, {
          "strId": "V_ADDRESS_INVALID",
          "nodeType": "L"
        }]
      }, {
        "attributeId": "2001",
        "items": [{
          "strId": "OSTBU",
          "nodeType": "L"
        }]
      }]
    }
Accepted answer by JuliaVI
You must validate the JSON received to be sure it contains exactly the expected content before setting it on the Model Object. You can implement a validator that checks the JSON against a pattern of expected fields/format, for example.
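One way to do the validation JuliaVI describes, as an added example that is not from the question or any answer: parse the subscription payload from the question into Gson's tree model and reject anything outside an allowlist of keys, string patterns and array sizes before handing the string to gson.fromJson(). Assumed: Gson 2.8.6 or later (JsonParser.parseString, JsonObject.keySet), Java 9+ (Set.of), and the patterns and size bound are guesses derived from the sample payload, not the application's real rules.

```java
import com.google.gson.*;
import java.util.Set;
import java.util.regex.Pattern;
/** Hypothetical validator for the subscription payload in the question; call it before gson.fromJson(). */
public final class SubscriptionJsonValidator {
    // Allowlisted keys per level: any extra or missing key is rejected, unlike Gson's default lenient binding.
    private static final Set<String> ROOT_KEYS = Set.of("subscriptions");
    private static final Set<String> SUB_KEYS = Set.of("attributeId", "items");
    private static final Set<String> ITEM_KEYS = Set.of("strId", "nodeType");
    private static final Pattern ATTRIBUTE_ID = Pattern.compile("[0-9]{1,9}");        // assumed: numeric id
    private static final Pattern STR_ID = Pattern.compile("[A-Z][A-Z0-9_]{0,63}");    // assumed: identifier style
    private static final Pattern NODE_TYPE = Pattern.compile("[GL]");                 // assumed: only G or L seen
    private static final int MAX_ARRAY = 100;                                         // assumed size bound
    /** Returns the parsed root object, or throws IllegalArgumentException naming the first violation. */
    public static JsonObject validate(String json) {
        JsonElement root;
        try {
            root = JsonParser.parseString(json);   // malformed input fails here, before any model binding
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed JSON", e);
        }
        JsonObject obj = asObject(root, ROOT_KEYS, "root");
        for (JsonElement s : asArray(obj.get("subscriptions"), "subscriptions")) {
            JsonObject sub = asObject(s, SUB_KEYS, "subscription");
            requireString(sub.get("attributeId"), ATTRIBUTE_ID, "attributeId");
            for (JsonElement i : asArray(sub.get("items"), "items")) {
                JsonObject item = asObject(i, ITEM_KEYS, "item");
                requireString(item.get("strId"), STR_ID, "strId");
                requireString(item.get("nodeType"), NODE_TYPE, "nodeType");
            }
        }
        return obj;   // the original string is now safe to pass to gson.fromJson(json, YourModel.class)
    }
    private static JsonObject asObject(JsonElement e, Set<String> keys, String where) {
        if (e == null || !e.isJsonObject() || !keys.equals(e.getAsJsonObject().keySet()))
            throw new IllegalArgumentException(where + " must be an object with exactly the keys " + keys);
        return e.getAsJsonObject();
    }
    private static JsonArray asArray(JsonElement e, String where) {
        if (e == null || !e.isJsonArray() || e.getAsJsonArray().size() > MAX_ARRAY)
            throw new IllegalArgumentException(where + " must be an array of at most " + MAX_ARRAY + " entries");
        return e.getAsJsonArray();
    }
    private static String requireString(JsonElement e, Pattern p, String where) {
        if (e == null || !e.isJsonPrimitive() || !e.getAsJsonPrimitive().isString() || !p.matcher(e.getAsString()).matches())
            throw new IllegalArgumentException(where + " must be a string matching " + p);
        return e.getAsString();
    }
}
```

Calling validate(subscriptionJson) inside jsonToObject() before gson.fromJson() gives Fortify a concrete validation step on the tainted path, and a rejected payload surfaces as an IllegalArgumentException you can log and count.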
Answer by Anil Kumar
You have to sanitize the JSON before converting it to a Java object. This is a tested solution and it removed this Fortify warning.
    <dependency>
        <groupId>com.mikesamuel</groupId>
        <artifactId>json-sanitizer</artifactId>
        <version>1.0</version>
    </dependency>
    // Read the raw response body, run it through the sanitizer, then bind it with Jackson
    String responseString = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");
    String wellFormedJson = com.google.json.JsonSanitizer.sanitize(responseString);
    ObjectMapper mapper = new ObjectMapper();
    Map<String, Object> map = mapper.readValue(wellFormedJson, Map.class);
Hope this helps..!!
Answer by Bhushan Dhapodkar
I encountered the same issue. You need to sanitize the JSON data; by using json-sanitizer you can achieve it.
Add this dependency in your project
    <dependency>
    </dependency>
Add this line in your code
    String newsanitizestring = JsonSanitizer.sanitize(passyourjsondatahere);
Now use this string newsanitizestring
Answer by Suchi
1) Use "JsonSanitizer.sanitize(string)". (Here parameter to sanitize method is your JSON input)
2) To use JsonSanitizer, the dependency can be added to pom.xml as below:
    <dependency>
        <groupId>com.mikesamuel</groupId>
        <artifactId>json-sanitizer</artifactId>
        <version>1.2.0</version>
    </dependency>